Security Materiality: Identifying Threat Types

Insiders? You hear that term a lot, but how are you seriously supposed to identify one at work? Is there a typical profile you should be looking out for? Such a responsibility should not be left only to the IT department. There are some general behaviors that you can use to profile an insider threat and to gauge how much of a threat they will be.

Profiles of Insiders

Data breaches come in many forms, typically spills, leaks, espionage, or outright sabotage. Spills are mismanaged sensitive information without intent to cause damage. Leaks are intentional and often take the form of data being shared on social platforms or with media outlets. Espionage involves both an internal actor and an outside actor; often this is sensitive information being shared over a secure channel from within to an outside actor. Sabotage is the intentional destruction of tangible and intangible assets. There are profiles of insiders associated with each type of breach, which can help with prevention. The profiles are below:

Reckless Insiders

This insider is the most common type of insider threat. They are your everyday employee or executive. They have no malicious intent, but often spill information by way of negligent data handling or, in some cases, by talking too much online or outside of work about sensitive topics. In many cases it can be related to naive behavior. Many employees are vulnerable to this, especially from external actors with malicious intent.

Typical Scenario:

John has worked late at the office and realizes he needs to take some work home with him. He decides to send files to his personal email address. Since he is tired, he does not double-check the address he typed in and hits send. Upon arriving home, he realizes he sent files and information to an address he does not know. He is panicked but will handle it the next morning when he gets to the office.

These employees follow orders and procedures and often may not realize something is wrong. When they do realize there has been a spill or breach, they are the first to report it to IT. The best approach to protect against them is a combination of continuous training and strong technical measures. In the example above, John would arrive at work in the morning and talk to IT; he would be relieved to know that the email was blocked from sending because his role is not authorized to send emails to people outside of the work domain. The education portion would help John, but it would also be targeted to protect against naivety. It is important to note again that these insiders are non-malicious.

The Sabotage Insider

Insiders set on sabotage often act to harm the organization in some way. They do this by either intentionally leaking or destroying tangible and intangible assets. The motivations for doing this can vary, but they often boil down to divided loyalty, frustration, ego, or financial gain. The high-profile leaks in the United States by Bradley Manning and Edward Snowden were examples of loyalty divided between the mission of the organization and their personal ideals; frustration can also be highlighted in their scenarios. The employees who are susceptible to sabotage for reasons of ego or financial gain are often frustrated or are managers who have more privileged access to data.

Scenario

In a medical facility, a grounds security manager has been informed that he is being terminated for improper conduct. He has until the end of the week to leave. However, he asks if he can take the night shift for the week. Three days later, the data center where digital hospital records are kept is vandalized and the center has suffered irreparable damage. There is no way to check security cameras to see who accessed the area where the servers were; they were off. The security manager finishes his week and leaves the job. Only months later is it discovered that he had coordinated the physical attack with other security personnel.

In the scenario above, there were many points at which this incident could have been prevented: not authorizing the shift change, restricting access credentials, and alerting other staff to be vigilant for suspicious behavior. There were also many technological and process failures that, had they been addressed, could have avoided this outcome. It is for this reason that it is important to understand that anyone can be an insider threat, and to always have a response plan.

The Mole

The final type of insider is the most dangerous. They are involved with a third party outside the company and continuously pass information to them. So who are these insiders? Often they are managers, administrators, or executives who have almost all privileges to company data. Their motives are often financial; rarely is it a case of divided loyalty. This often involves the exchange of trade secrets.

Scenario

Lux Inc., a successful luxury hotel chain, started having problems between two executives and its Board. The executives left to defuse the situation and somehow quickly had jobs with Lux's competitor, Nice Inc. One year later, Nice Inc. was launching a brand of hotels that seemed to be a direct copy of one of Lux's brands. The architecture, branding, tagline, and even messaging all seemed to be a mirror. IT administrators reviewed the records of the two executives who left and discovered that they had been feeding trade secrets from Lux to Nice for over three years. They were not on the formal payroll for Nice but held equity in Nice, which the two executives never disclosed to Lux.

The above scenario is fictitious, but the story is based on real events that happened between Starwood and Hilton in 2009. Espionage is a problem for both government and business; without adequate protection it could lead to the downfall of an organization. The Mole is the most dangerous thief because they can continue smiling to your face while funneling all of your efforts to your competition. Protecting against these insiders is tough and requires some very advanced behavioral monitoring technologies.

Insiders are not an abstraction; they are the very people you work with. They come in many forms; however, understanding the profile of an insider can help you know what behaviors and motivations to look for. This should help inform your decision on any insider threat detection technology your company decides to purchase to reduce the chances of an insider threat impacting you.

Isaac Kohen started his career in quantitative finance developing complex trading algorithms for a major Wall Street hedge fund. During his tenure at Wall Street and his subsequent experience securing highly sensitive data for large multi-national conglomerates, he identified the market need for a comprehensive insider threat and data loss prevention solution. And so, Teramind was born. Isaac is a well-recognized thought leader in the security industry with many of his articles published in Forbes, Inc, Tripwire, and CSO Online. Read more industry thought leadership articles on Isaac's LinkedIn.